OPC UA communication
9.2 Security at OPC UA
Communication
Function Manual, 11/2019, A5E03735815-AH
155
Using the CSR
There are two ways to use a CSR:
● You send the CSR to a certificate authority (CA): Read the information of the respective
certification authority. The certificate authority (CA) checks your information and identity
(authentication) and signs the certificate with the private key of the certificate authority.
You receive the signed X.509 certificate and use this certificate for OPC UA, HTTPS or
Secure OUC (secure open user communication), for example. Your communication
partners use the public key of the certificate authority to check whether your certificate
was really issued and signed by that CA (i.e. that the certificate authority has confirmed
your information).
● You sign the CSR yourself: Using your private key. This option is shown in the next step.
Signing the certificate yourself
Enter the following command so that you can generate and sign your certificate (self-signed
certificate) yourself: "x509 -req -days 365 -in myRequest.csr -signkey myKey.key -out
myCertificate.crt".
The figure below shows the command line with the command and OpenSSL:
The command generates an X.509 certificate with the attributes that you transfer with the
CSR (in the example "myRequest.csr"), for example with a validity of one year (-days 365).
The command also signs the certificate with your private key ("myKey.key" in the example).
Your communication partners can use your public key (contained in your certificate) to check
that you are in possession of the private key that belongs to this public key. This also
prevents your public key from being misused by an attacker.
With self-signed certificates, you yourself confirm that the information in your certificate is
correct. There is no independent body that checks your information.
See also
Handling of the client certificates of the S7-1500 CPU (Page 272)
To Next Page
Loading...
Need help?
General
